I tried again with your modified open_firmware.sh. I had some success, but also some failures as reported below:
1) sshd is not started, can only use telnet
2) I can telnet as an ordinary user but I see that /etc/shadow is still populated with users and passwords from a previous life. The root password is not cleared, even though I did check the box to clear the user config when flashing the new firmware with debug enabled. Note that I only updated the hddrootfs.img, having unchecked the boxes to update BOOT, KERNEL and initrd. I totally don't understand where it is caching the old password file, but there it is.
3) I managed to become root because I knew the old root password su - root works from telnet. I don't know whether clearing root password out with emergency.sh would have worked as well, since I didn't need to try.
4) I tried to start sshd using /etc/rc.d/extensions.d/S40sshd.sh start, but I immediately got an error message where the script tries to redirect output to /dev/console. /dev/console is a non-existent device on my machine so that is why the startup script doesn't get very far. If I remove that redirection from the script, sshd starts and generates a bunch of keys, but also some warning messages.
5) Tried to use Putty from a windows machine to get in via ssh. This warns me that keyboard direct verification by password is being used, but I can't get any of my known passwords accepted.
6) Tried to use ssh email@example.com
from a Ubuntu laptop. It asks me for a password, but if I just press return three times it then asks me for root's password and I can log in via ssh.
In essence this is a great improvement because I can get a root shell, assuming that clearing out the root password would be effective (I didn't try that since I would risk losing root access).
Something is still very strange about the way sshd is authenticating. I've never seen this before.